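The following issues were found. Every entry is a FlawFinder hit on a call or declaration that it treats as risky by name (memcpy, fixed-size char arrays, read), so each one is a candidate to confirm against the surrounding bounds checks rather than a demonstrated overflow.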
net/ipv4/tcp_output.c
2 issues
Line: 695
Column: 3
CWE codes:
120 (Buffer Copy without Checking Size of Input)
Suggestion:
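Make sure destination can always hold the source data. Here memcpy writes foc->len bytes at p, followed by two TCPOPT_NOP bytes when (len & 3) == 2, so the space reserved for this option must cover foc->len plus that padding; the reservation itself is outside the excerpt.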
*p++ = len;
}
memcpy(p, foc->val, foc->len);
if ((len & 3) == 2) {
p[foc->len] = TCPOPT_NOP;
p[foc->len + 1] = TCPOPT_NOP;
}
ptr += (len + 3) >> 2;
Reported by FlawFinder.
Line: 3763
Column: 2
CWE codes:
120
Suggestion:
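Make sure destination can always hold the source data. The length here is sizeof(syn->cb), the source field, so the copy is in bounds only if syn_data->cb is at least that large; neither declaration is in the excerpt.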
if (!syn_data)
goto fallback;
syn_data->ip_summed = CHECKSUM_PARTIAL;
memcpy(syn_data->cb, syn->cb, sizeof(syn->cb));
if (space) {
int copied = copy_from_iter(skb_put(syn_data, space), space,
&fo->data->msg_iter);
if (unlikely(!copied)) {
tcp_skb_tsorted_anchor_cleanup(syn_data);
Reported by FlawFinder.
net/bluetooth/hidp/sock.c
2 issues
Line: 144
Column: 2
CWE codes:
119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)
120
Suggestion:
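Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. The flagged declaration appears to be char name[128]; a fixed-size array is a problem only where it is written, so the writes to name are what to check.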
__u16 version;
__u32 flags;
__u32 idle_to;
char name[128];
};
static int hidp_sock_compat_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
{
void __user *argp = compat_ptr(arg);
Reported by FlawFinder.
Line: 196
Column: 3
CWE codes:
120
Suggestion:
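Make sure destination can always hold the source data. The length is the literal 128 and the line before it terminates ca32.name at sizeof(ca32.name) - 1; the copy stays in bounds only while ca.name and ca32.name are both at least 128 bytes, and the declaration of ca.name is not in the excerpt.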
ca.flags = ca32.flags;
ca.idle_to = ca32.idle_to;
ca32.name[sizeof(ca32.name) - 1] = '\0';
memcpy(ca.name, ca32.name, 128);
csock = sockfd_lookup(ca.ctrl_sock, &err);
if (!csock)
return err;
Reported by FlawFinder.
include/trace/events/smbus.h
2 issues
Line: 60
Column: 4
CWE codes:
120
Suggestion:
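Make sure destination can always hold the source data. The length is data->block[0] + 1, taken from the data being traced, so the check to confirm is that __entry->buf is sized for the largest value that expression can take; the declaration of buf is not in the excerpt. The same copy is reported again at line 169.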
case I2C_SMBUS_I2C_BLOCK_DATA:
__entry->len = data->block[0] + 1;
copy:
memcpy(__entry->buf, data->block, __entry->len);
break;
case I2C_SMBUS_QUICK:
case I2C_SMBUS_BYTE:
case I2C_SMBUS_I2C_BLOCK_BROKEN:
default:
Reported by FlawFinder.
Line: 169
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case I2C_SMBUS_I2C_BLOCK_DATA:
__entry->len = data->block[0] + 1;
copy:
memcpy(__entry->buf, data->block, __entry->len);
break;
case I2C_SMBUS_QUICK:
case I2C_SMBUS_I2C_BLOCK_BROKEN:
default:
__entry->len = 0;
Reported by FlawFinder.
net/rds/message.c
2 issues
Line: 216
Column: 2
CWE codes:
120
Suggestion:
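Make sure destination can always hold the source data. Starting at hdr->h_exthdr the code writes one type byte, len bytes of data and one RDS_EXTHDR_NONE terminator, so len + 2 bytes are consumed; any check of len against the available extension space sits above the excerpt.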
dst = hdr->h_exthdr;
*dst++ = type;
memcpy(dst, data, len);
dst[len] = RDS_EXTHDR_NONE;
return 1;
}
EXPORT_SYMBOL_GPL(rds_message_add_extension);
Reported by FlawFinder.
Line: 260
Column: 2
CWE codes:
120
Suggestion:
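Make sure destination can always hold the source data. The two lines before the copy lower *buflen to ext_len when ext_len is smaller, so the write into buf never exceeds the size the caller passed in; what the excerpt does not show is whether offset + ext_len is checked against the size of src.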
*pos = offset + ext_len;
if (ext_len < *buflen)
*buflen = ext_len;
memcpy(buf, src + offset, *buflen);
return ext_type;
none:
*pos = RDS_HEADER_EXT_SPACE;
*buflen = 0;
Reported by FlawFinder.
include/trace/events/siox.h
2 issues
Line: 24
Column: 7
CWE codes:
120
Suggestion:
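Make sure destination can always hold the source data. The destination is the tracepoint's dynamic array and the length is sdevice->inbytes, so the copy is in bounds if the array was declared with that same length; the declaration is in the part of the event definition not shown. The hit at line 52 is the same pattern with sdevice->outbytes.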
__entry->busno = smaster->busno;
__entry->devno = devno;
__entry->inbytes = sdevice->inbytes;
memcpy(__get_dynamic_array(buf),
smaster->buf + bufoffset, sdevice->inbytes);
),
TP_printk("siox-%d-%u [%*phD]",
__entry->busno,
__entry->devno,
Reported by FlawFinder.
Line: 52
Column: 7
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__entry->devno = devno;
__entry->status_clean = status_clean;
__entry->outbytes = sdevice->outbytes;
memcpy(__get_dynamic_array(buf),
smaster->buf + bufoffset, sdevice->outbytes);
),
TP_printk("siox-%d-%u (%02hhx) [%*phD]",
__entry->busno,
__entry->devno,
Reported by FlawFinder.
lib/livepatch/test_klp_shadow_vars.c
2 issues
Line: 169
Column: 2
CWE codes:
119
120
Suggestion:
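Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. The flagged declarations are fixed-size arrays of NUM_OBJS elements local to test_klp_shadow_vars_init; the accesses to check are the ones that index them, which are outside the excerpt.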
static int test_klp_shadow_vars_init(void)
{
struct test_object objs[NUM_OBJS];
char nfields1[NUM_OBJS], *pnfields1[NUM_OBJS], **sv1[NUM_OBJS];
char *pndup[NUM_OBJS];
int nfields2[NUM_OBJS], *pnfields2[NUM_OBJS], **sv2[NUM_OBJS];
void **sv;
int ret;
int i;
Reported by FlawFinder.
Line: 170
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct test_object objs[NUM_OBJS];
char nfields1[NUM_OBJS], *pnfields1[NUM_OBJS], **sv1[NUM_OBJS];
char *pndup[NUM_OBJS];
int nfields2[NUM_OBJS], *pnfields2[NUM_OBJS], **sv2[NUM_OBJS];
void **sv;
int ret;
int i;
Reported by FlawFinder.
lib/logic_iomem.c
2 issues
Line: 223
Column: 30
CWE codes:
120
20 (Improper Input Validation)
if (!area) \
return real_raw_read ## op(addr); \
\
return (u ## sz) area->ops->read(area->priv, \
(unsigned long)addr & AREA_MASK,\
sz / 8); \
} \
EXPORT_SYMBOL(__raw_read ## op); \
\
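Reported by FlawFinder. Column 30 appears to land on read in area->ops->read, a callback reached through the area's ops pointer, so this hit is on the name read and not on a buffer copy visible in the excerpt.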
Line: 293
Column: 26
CWE codes:
120
20
}
for (offs = 0; offs < size; offs++)
buf[offs] = area->ops->read(area->priv, start + offs, 1);
}
EXPORT_SYMBOL(memcpy_fromio);
void memcpy_toio(volatile void __iomem *addr, const void *buffer, size_t size)
{
Reported by FlawFinder.
net/bluetooth/rfcomm/core.c
2 issues
Line: 112
Column: 17
CWE codes:
119
120
Suggestion:
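Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. The flagged declaration is the 256-entry rfcomm_crc_table, which is initialised in place; no write to it appears in the excerpt, so what remains to check is that it is only read and only indexed with values below 256.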
/* ---- RFCOMM FCS computation ---- */
/* reversed, 8-bit, poly=0x07 */
static unsigned char rfcomm_crc_table[256] = {
0x00, 0x91, 0xe3, 0x72, 0x07, 0x96, 0xe4, 0x75,
0x0e, 0x9f, 0xed, 0x7c, 0x09, 0x98, 0xea, 0x7b,
0x1c, 0x8d, 0xff, 0x6e, 0x1b, 0x8a, 0xf8, 0x69,
0x12, 0x83, 0xf1, 0x60, 0x15, 0x84, 0xf6, 0x67,
Reported by FlawFinder.
Line: 1097
Column: 11
CWE codes:
119
120
Suggestion:
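Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. The flagged declarations are hdr[5] and crc[1]; the excerpt already rejects len > 125 before they are used, and the writes into hdr are below the excerpt.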
struct socket *sock = s->sock;
struct kvec iv[3];
struct msghdr msg;
unsigned char hdr[5], crc[1];
if (len > 125)
return -EINVAL;
BT_DBG("%p cr %d", s, cr);
Reported by FlawFinder.
net/bluetooth/rfcomm/sock.c
2 issues
Line: 346
Column: 2
CWE codes:
120
Suggestion:
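Make sure destination can always hold the source data. Here the length is min_t(unsigned int, sizeof(sa), addr_len), so the write into sa is capped at sizeof(sa), and the memset before it zeroes any bytes that a short addr_len leaves unwritten.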
memset(&sa, 0, sizeof(sa));
len = min_t(unsigned int, sizeof(sa), addr_len);
memcpy(&sa, addr, len);
BT_DBG("sk %p %pMR", sk, &sa.rc_bdaddr);
lock_sock(sk);
Reported by FlawFinder.
Line: 816
Column: 3
CWE codes:
120
Suggestion:
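Make sure destination can always hold the source data. The length is the literal 3; the sizes of cinfo.dev_class and conn->hcon->dev_class are not in the excerpt, and both need to be at least 3 bytes.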
memset(&cinfo, 0, sizeof(cinfo));
cinfo.hci_handle = conn->hcon->handle;
memcpy(cinfo.dev_class, conn->hcon->dev_class, 3);
len = min_t(unsigned int, len, sizeof(cinfo));
if (copy_to_user(optval, (char *) &cinfo, len))
err = -EFAULT;
Reported by FlawFinder.
kernel/utsname_sysctl.c
2 issues
Line: 37
Column: 2
CWE codes:
119
120
Suggestion:
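Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. The flagged declaration appears to be tmp_data, sized __NEW_UTS_LEN + 1; the code that fills it is below the excerpt, and that is where the length limit has to be enforced.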
{
struct ctl_table uts_table;
int r;
char tmp_data[__NEW_UTS_LEN + 1];
memcpy(&uts_table, table, sizeof(uts_table));
uts_table.data = tmp_data;
/*
Reported by FlawFinder.
Line: 61
Column: 3
CWE codes:
120
Suggestion:
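Make sure destination can always hold the source data. The length is sizeof(tmp_data), so __NEW_UTS_LEN + 1 bytes are written to whatever get_uts(table) returns while uts_sem is held for writing; the size of that target is not in the excerpt.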
* at non-zero offsets to the same sysctl.
*/
down_write(&uts_sem);
memcpy(get_uts(table), tmp_data, sizeof(tmp_data));
up_write(&uts_sem);
proc_sys_poll_notify(table->poll);
}
return r;
Reported by FlawFinder.